
RedTiger Stealer: GoFile + Discord-Webhook Exfiltration
A single-host smash-and-grab infostealer intrusion. An artist ran a PyInstaller-compiled executable disguised as a Roblox FPS-unlocker mod that was actually the open-source RedTiger stealer. In one short burst it unpacked to Temp, blackholed security-vendor domains in the hosts file, persisted via the Startup folder, injected JavaScript into the Discord client, and archived Discord tokens, browser credentials and cards, a crypto wallet, a webcam frame, and a screenshot. Exfiltration ran in two stages over legitimate cloud services: the loot ZIP was uploaded to GoFile, then the download link plus victim recon was posted to a Discord webhook. Reconstruct the kill chain from SIEM, endpoint XDR, and perimeter firewall telemetry, and classify the key ATT&CK techniques.
Launches today
Friday, July 3, 2026 at 9:00 AM
Pro unlocks this operation at launch.
What you'll investigate
7 objectives unlock when this operation goes live.